MAL-2026-10438

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netspeedutil/MAL-2026-10438.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10438
Published
2026-07-13T09:22:42Z
Modified
2026-07-13T10:47:05.998835027Z
Summary
Malicious code in netspeedutil (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e07c032df7e95243bcbf1af8d20d23ef9427620fc3050965ca1a3b3ce9faa4f1)

On install, setup.js walks up to the installer's project tree and scans image files for a 'STEG' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (cli.command("build [root]"...finally{...}) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an await inject() call inside the build's finally block. Once tampered, every subsequent project build runs inject.js, which uses javascript-obfuscator (control-flow flattening, dead-code injection, base64 string-array encoding) to embed an obfuscated client into dist/index.html. That client opens a WebRTC TURN connection to a hardcoded attacker host at 13.234.111.178:3478 as a covert C2 / signaling channel and renders attacker-supplied DOM content to end users of any site the developer ships. The package's stated purpose ('Fast string matching and pattern validation utilities') is a cover story unrelated to the actual code. This is a build-pipeline supply-chain compromise: the installer's production artifacts are silently weaponized against their own end users.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T09:22:42Z",
            "versions": [
                "1.0.13"
            ],
            "sha256": "e07c032df7e95243bcbf1af8d20d23ef9427620fc3050965ca1a3b3ce9faa4f1",
            "id": "IN-MAL-2026-010209",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T10:37:37.939109253Z"
        }
    ]
}
References
Credits

Affected packages

npm / netspeedutil

Package

Affected ranges

Affected versions

1.*
1.0.13

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "bb6174c466fa232643a2327bf15b440ab369f4023609d694fa1cdb147f47174e9e36d9",
            "sha256": "7efde05d8f284658812cf01c6081f0e4495839048f1f8f6ce4048cdb1deced49",
            "path": "setup.js"
        },
        {
            "tlsh": "d0d1c685bcf32190426360bad27fd10a6232e5433509d9587f8cda519f9871cadb77dc",
            "sha256": "01a8d0caa80766a19edd7f016a2dd6c2d89a7d6815a3f7566681ebe2ec3419a0",
            "path": "inject.js"
        },
        {
            "tlsh": "9dd0c2208c21ea6326c926950479c4436ab24c1b0204ac6c97c310a8868e3ff59be30e",
            "sha256": "42857935f9c782d95b778fa65b7bb0e29849a57bc92a163469bec277c09fbedb",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "d98c7d0d3c8da0118074c9d95cb6e8e946f2c53b",
                "sha512_sri": "sha512-CJs9D8nxvXMTYdEjwFJzOwXynDYXIwmwu4MJPVJqnSUy/xftPZ300fVhaKCb2FiCvzWqRh4Q3I8QzyONZsWAkQ=="
            },
            "filename": "netspeedutil-1.0.13.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netspeedutil/MAL-2026-10438.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]